amplihack/.pre-commit-config.yaml at main · rysweet/amplihack · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
# Comprehensive Pre-commit Configuration
# Enforces same quality gates as CI to catch issues before pushing
# https://pre-commit.com/

# Skip specific hooks: SKIP=hook_id git commit
# Bypass all hooks: git commit --no-verify

default_language_version:
  python: python3

repos:
  # Essential file and merge checks
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v6.0.0
    hooks:
      - id: check-merge-conflict
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-yaml
        exclude: '^(mkdocs\.yml|.*outside-in-testing/examples/electron/.*\.yaml)$'
      - id: check-json
        exclude: '^\.devcontainer/devcontainer\.json$'
      - id: check-toml
      - id: check-added-large-files
        args: ["--maxkb=500"]
      - id: check-case-conflict
      # Temporarily disabled to focus on core enhancements (TODO: fix in separate PR)
      # - id: check-executables-have-shebangs
      # - id: check-shebang-scripts-are-executable

  # Python - Ruff linting with balanced rules
  - repo: https://github.com/astral-sh/ruff-pre-commit
    rev: v0.13.0
    hooks:
      - id: ruff
        args:
          - --fix
          - --select=E,F,W,I,UP,YTT,B,A,C4,T10,ISC,ICN,PIE,PYI,RSE,RET,SIM,RUF
          - --ignore=ANN,D
          - --ignore=COM812,COM819
          - --ignore=ISC001
          - --ignore=Q000,Q001,Q002,Q003
          - --ignore=T201
          - --ignore=S101
          - --ignore=TRY003
          - --ignore=EM101,EM102
          - --ignore=FBT001,FBT002
          - --ignore=PLR2004
          - --ignore=SLF001
          - --ignore=BLE001
          - --ignore=E501
          - --ignore=N999,N806
          - --ignore=SIM117,SIM105,SIM102,SIM110,SIM108,SIM103,SIM118
          - --ignore=RSE102
          - --ignore=B904,B007,B019,B011
          - --ignore=RUF001,RUF012,RUF013,RUF015,RUF022,RUF005,RUF059,RUF043
          - --ignore=E402
          - --ignore=RET504
          - --ignore=C414,C401
          - --ignore=ERA001
          - --ignore=A001,A002,A004
          - --ignore=PIE810
      - id: ruff-format

  # Security scanning with bandit (temporarily disabled - integrate gradually)
  # - repo: https://github.com/PyCQA/bandit
  #   rev: 1.7.5
  #   hooks:
  #     - id: bandit
  #       args: [-r, --format=custom, --skip=B101,B601,B324,B104,B602,B110,B108]
  #       exclude: '^tests/.*\.py$'
  #       additional_dependencies: ["pbr"]

  # Python - Type checking with pyright (strict mode)
  - repo: https://github.com/RobertCraigie/pyright-python
    rev: v1.1.405
    hooks:
      - id: pyright
        exclude: '^(\.claude/tools/test-utilities/.*\.py$|\.github/scripts/.*\.py$|src/amplihack/memory/backends/kuzu_backend\.py$|src/amplihack/memory/kuzu/.*\.py$|src/amplihack/vendor/.*\.py$)'

  # JavaScript/TypeScript/Markdown formatting
  - repo: https://github.com/pre-commit/mirrors-prettier
    rev: v4.0.0-alpha.8
    hooks:
      - id: prettier
        types_or: [javascript, jsx, ts, tsx, json, yaml, markdown]

  # Secret detection - CRITICAL for security
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.5.0
    hooks:
      - id: detect-secrets
        exclude: .*\.lock$|package-lock\.json$

  # Custom quality gates to match CI standards
  - repo: local
    hooks:
      # Enforce logging over print statements in production code
      - id: no-print-statements
        name: No print statements in production code
        entry: bash
        args:
          - -c
          - |
            if find src/ -name "*.py" -not -path "*/tests/*" -exec grep -l "print(" {} \; | grep -v "# noqa.*print"; then
              echo "WARNING: Found print() statements in production code. Consider using logging instead."
              echo "This will become an error in future versions. Add '# noqa: print' to bypass temporarily."
            fi
        language: system
        pass_filenames: false
        files: '^src/.*\.py$'

      # Check for development artifacts in production code
      - id: no-dev-artifacts
        name: No development artifacts in production code
        entry: bash
        args:
          - -c
          - |
            if find src/ -name "*.py" -not -path "*/tests/*" -exec grep -l -i "fixme\|todo\|xxx\|hack" {} \; | grep -v "# noqa"; then
              echo "WARNING: Found development artifacts in production code."
              echo "This will become an error in future versions. Add '# noqa' to bypass temporarily."
            fi
        language: system
        pass_filenames: false
        files: '^src/.*\.py$'

      # Ensure proper error handling (no bare except clauses)
      - id: no-bare-except
        name: No bare except clauses
        entry: bash
        args:
          - -c
          - |
            if find src/ -name "*.py" -exec grep -l "except:" {} \; | grep -v "# noqa"; then
              echo "ERROR: Found bare except clauses. Use specific exception types."
              exit 1
            fi
        language: system
        pass_filenames: false
        files: '^src/.*\.py$'

      # Check for potential security issues in error messages
      - id: secure-error-messages
        name: Check for secure error message patterns
        entry: bash
        args:
          - -c
          - |
            if find src/ -name "*.py" -exec grep -l -E "(Exception.*path|Error.*password|\.py.*line)" {} \; | grep -v "# noqa"; then
              echo "WARNING: Found potentially sensitive information in error messages."
            fi
        language: system
        pass_filenames: false
        files: '^src/.*\.py$'

      # Validate hooks synchronization between settings.json and UVX template
      - id: sync-hooks-validation
        name: Validate hooks sync between settings files
        entry: python3 src/amplihack/utils/sync_validator.py
        language: system
        files: '^(\.claude/settings\.json|src/amplihack/utils/uvx_settings_template\.json)$'
        pass_filenames: false

      # Import validation - catches missing type hints and import errors
      - id: check-imports
        name: Validate Python imports and type hints
        entry: python3 scripts/pre-commit/check_imports.py
        language: system
        types: [python]
        pass_filenames: true
        exclude: '^(build_hooks\.py$|\.claude/tools/amplihack/.*\.py$|\.claude/tools/xpia/.*\.py$|\.claude/skills/.*\.py$|\.github/scripts/.*\.py$|tests/.*\.py$|.*/tests/.*\.py$|archive/.*\.py$|experiments/.*\.py$|src/amplihack/memory/backends/kuzu_backend\.py$|src/amplihack/memory/kuzu/.*\.py$|src/amplihack/vendor/.*\.py$)'

      # Dependency validation - ensures optional deps have try/except
      - id: check-dependencies
        name: Validate optional dependency handling
        entry: python3 scripts/pre-commit/check_dependencies.py
        language: system
        types: [python]
        pass_filenames: true
        exclude: '^(tests/.*\.py$|.*/tests/.*\.py$|scripts/test_.*\.py$|experiments/.*\.py$|src/amplihack/vendor/.*\.py$)'